Cisco Annual Security Report

Joining the bandwagon of future tellers, Cisco recently read the collective palm of malcode writers and cybercriminals everywhere and released what they saw in their annual security report.

Seriously though, the report takes a broad perspective on some pretty massive themes and is a worthwhile read for security managers and other interested users. It provides “an overview of the combined security intelligence of the entire Cisco organization”, which is an interesting statement in itself, knowing that the company has over 60,000 full-time employees and lots of contracted and outsourced staff.

I like its structure and layout, but you’ll still find a lot of questionable statements in its details, so end users might be pretty confused by some of the key statements. Malware activity gets stuffed under the Vulnerability section.

Their crystal ball tells us What to Expect in 2008, partly based on what they have not seen in the past (disregarding the golden rule that, in the security arena, absence of evidence is not evidence of absence):

“More malware may execute in system memory, not on hard drives.”

Huh? I can’t remember the last time a piece of malware, or any code for that matter, executed on the hard drive instead of in the CPU and memory. And what about caching or paging?

Ok, we can get past that statement. The point seems to be that “more” malcode may run on systems without ever touching users’ hard drives: “Malware attacking rootkits that executed entirely in system memory emerged in 2007. As average RAM size continues to increase in the coming year, these strategies will likely grow in popularity”.

Imho, not exactly. These strategies have been around for a long time in the underground and cybercriminal coding communities, but they haven’t been a money maker — Aphex’s downloader circa 1999 is an example. Its key feature was that it downloaded any content to memory from a remote location (like a web server) and executed that content in memory without it ever touching the disk. I am sure his was not the first, but he was one of the first from the shadier side of the underground to develop and publicly release a reliable loading technique like this one on his website. The downloader, and its scanner evasion techniques, just weren’t needed at the time. Problems with using the technique had nothing to do with the size of physical memory on the victim system. But there were easier methods of detection evasion.

Kinda confusing.

Anyways, enough of my nitpicking; it is an interesting read with a fine list of key recommendations, predictions, and some exposure to the data they collected in 2007. I’ll get through more of the malware section and update this post with notes about what I really like in the report.